Closed JAremko closed 6 years ago
It means that a dockerized application can perform a denial-of-service attack against the docker host machine, intentionally or accidentally. Seems serious ¯\_(ツ)_/¯
Doesn't docker swarm pass the kernel memory flag through to the daemons? Is this somehow dropped in the swarm API?
There seems to be a kernel memory test: https://github.com/docker/swarm/blob/5b022f51e58ff391e95420b1cc82ae4e0734c338/test/integration/api/run.bats#L80
@vincentwoo
My docker:
Client:
Version: 17.11.0-ce-rc4
API version: 1.34
Go version: go1.8.3
Git commit: 587f1f0
Built: Thu Nov 16 01:28:14 2017
OS/Arch: linux/amd64
Server:
Version: 17.11.0-ce-rc4
API version: 1.34 (minimum version 1.12)
Go version: go1.8.3
Git commit: 587f1f0
Built: Thu Nov 16 01:26:44 2017
OS/Arch: linux/amd64
Experimental: false
This is what `docker service create` has:
Usage: docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]
Create a new service
Options:
--config config Specify configurations to
expose to the service
--constraint list Placement constraints
--container-label list Container labels
--credential-spec credential-spec Credential spec for managed
service account (Windows only)
-d, --detach Exit immediately instead of
waiting for the service to converge
--dns list Set custom DNS servers
--dns-option list Set DNS options
--dns-search list Set custom DNS search domains
--endpoint-mode string Endpoint mode (vip or dnsrr)
(default "vip")
--entrypoint command Overwrite the default
ENTRYPOINT of the image
-e, --env list Set environment variables
--env-file list Read in a file of environment
variables
--group list Set one or more supplementary
user groups for the container
--health-cmd string Command to run to check health
--health-interval duration Time between running the check
(ms|s|m|h)
--health-retries int Consecutive failures needed to
report unhealthy
--health-start-period duration Start period for the container
to initialize before counting
retries towards unstable (ms|s|m|h)
--health-timeout duration Maximum time to allow one
check to run (ms|s|m|h)
--host list Set one or more custom
host-to-IP mappings (host:ip)
--hostname string Container hostname
-l, --label list Service labels
--limit-cpu decimal Limit CPUs
--limit-memory bytes Limit Memory
--log-driver string Logging driver for service
--log-opt list Logging driver options
--mode string Service mode (replicated or
global) (default "replicated")
--mount mount Attach a filesystem mount to
the service
--name string Service name
--network network Network attachments
--no-healthcheck Disable any
container-specified HEALTHCHECK
--no-resolve-image Do not query the registry to
resolve image digest and
supported platforms
--placement-pref pref Add a placement preference
-p, --publish port Publish a port as a node port
-q, --quiet Suppress progress output
--read-only Mount the container's root
filesystem as read only
--replicas uint Number of tasks
--reserve-cpu decimal Reserve CPUs
--reserve-memory bytes Reserve Memory
--restart-condition string Restart when condition is met
("none"|"on-failure"|"any")
(default "any")
--restart-delay duration Delay between restart attempts
(ns|us|ms|s|m|h) (default 5s)
--restart-max-attempts uint Maximum number of restarts
before giving up
--restart-window duration Window used to evaluate the
restart policy (ns|us|ms|s|m|h)
--rollback-delay duration Delay between task rollbacks
(ns|us|ms|s|m|h) (default 0s)
--rollback-failure-action string Action on rollback failure
("pause"|"continue") (default
"pause")
--rollback-max-failure-ratio float Failure rate to tolerate
during a rollback (default 0)
--rollback-monitor duration Duration after each task
rollback to monitor for
failure (ns|us|ms|s|m|h)
(default 5s)
--rollback-order string Rollback order
("start-first"|"stop-first")
(default "stop-first")
--rollback-parallelism uint Maximum number of tasks rolled
back simultaneously (0 to roll
back all at once) (default 1)
--secret secret Specify secrets to expose to
the service
--stop-grace-period duration Time to wait before force
killing a container
(ns|us|ms|s|m|h) (default 10s)
--stop-signal string Signal to stop the container
-t, --tty Allocate a pseudo-TTY
--update-delay duration Delay between updates
(ns|us|ms|s|m|h) (default 0s)
--update-failure-action string Action on update failure
("pause"|"continue"|"rollback") (default "pause")
--update-max-failure-ratio float Failure rate to tolerate
during an update (default 0)
--update-monitor duration Duration after each task
update to monitor for failure
(ns|us|ms|s|m|h) (default 5s)
--update-order string Update order
("start-first"|"stop-first")
(default "stop-first")
--update-parallelism uint Maximum number of tasks
updated simultaneously (0 to
update all at once) (default 1)
-u, --user string Username or UID (format:
<name|uid>[:<group|gid>])
--with-registry-auth Send registry authentication
details to swarm agents
-w, --workdir string Working directory inside the
container
As I understand it, `docker service create` should have a `--kernel-memory=` option.
You're in the wrong repository - this is the one for the legacy swarm client.
@vincentwoo I had this suspicion, but I can't find the right one :smile:
https://github.com/docker/for-linux or https://github.com/moby/moby for the upstream
@thaJeztah thx
For reference: https://github.com/moby/moby/issues/28618
There is a solution, finally: https://gvisor.dev/docs/user_guide/docker/
It seems that without the `--kernel-memory` flag, docker swarm doesn't have a straightforward way to prevent a "fork bomb" :confused:
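An added audit helper, written for this thread and not part of docker/swarm or moby: it reads a task's cgroup v1 files from the host and reports whether a kernel-memory limit (what `--kernel-memory` sets) or a pids limit is actually enforced, so an operator can spot swarm tasks that are exposed to the fork-bomb scenario discussed above. It assumes the cgroupfs driver layout (`/sys/fs/cgroup/memory/docker/<id>` and `/sys/fs/cgroup/pids/docker/<id>`) and goes slightly beyond the thread by also checking the pids controller, which is what bounds process count directly; the sample cgroup tree it builds is constructed for the demo.

```shell
# Hypothetical audit helper, not from docker/swarm. Checks a container's
# cgroup v1 directories for a kernel-memory limit (set by --kernel-memory)
# and a pids limit; with neither, a fork bomb inside the task competes
# with the host for kernel memory and PIDs. cgroup v2 drops memory.kmem.*,
# so only the pids check applies there.
KMEM_UNLIMITED=9223372036854771712   # PAGE_COUNTER_MAX as reported on x86_64

# 0 when memory.kmem.limit_in_bytes holds a real limit, 1 otherwise
kmem_limited() {
    f="$1/memory.kmem.limit_in_bytes"
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        "$KMEM_UNLIMITED"|-1|max|"") return 1 ;;
    esac
    return 0
}

# 0 when pids.max holds a number, 1 when absent or "max" (unlimited)
pids_limited() {
    f="$1/pids.max"
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        max|"") return 1 ;;
    esac
    return 0
}

# audit_task <memory-cgroup-dir> <pids-cgroup-dir>
# Prints one finding per missing control; returns 0 only if both are set.
audit_task() {
    rc=0
    kmem_limited "$1" || { echo "FINDING: no kernel-memory limit in $1"; rc=1; }
    pids_limited "$2" || { echo "FINDING: no pids limit in $2"; rc=1; }
    return $rc
}

# Constructed fixture standing in for two tasks' cgroup trees:
# "bounded" has 128 MiB kmem and 200 pids, "open" has neither limit.
make_fixture() {
    root=$(mktemp -d)
    for id in bounded open; do mkdir -p "$root/memory/$id" "$root/pids/$id"; done
    echo 134217728 > "$root/memory/bounded/memory.kmem.limit_in_bytes"
    echo 200 > "$root/pids/bounded/pids.max"
    echo "$KMEM_UNLIMITED" > "$root/memory/open/memory.kmem.limit_in_bytes"
    echo max > "$root/pids/open/pids.max"
    echo "$root"
}

ROOT=$(make_fixture)
audit_task "$ROOT/memory/bounded" "$ROOT/pids/bounded" && echo "bounded: ok"
audit_task "$ROOT/memory/open" "$ROOT/pids/open" || echo "open: exposed"
```

On a real host, point `audit_task` at `/sys/fs/cgroup/memory/docker/<id>` and `/sys/fs/cgroup/pids/docker/<id>` for each task container id from `docker ps -q`.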